About Malware: Your System

Computer viruses, trojans, worms, and other kinds of malware can directly impact forensic examinations. It is essential for an analyst's computer to be free of hostile software.

This FotoForensics server is capable of detecting some indicators of malware and whether your browser may be at risk. This server found the following on your browser:

Some types of computer viruses, spyware, and adware (malware) alter the information that your web browser sends to web servers. This FotoForensics server looks for altered headers in the hypertext transfer protocol (HTTP) data. This tutorial also checks for:

Common ad blockers, which help prevent your browser from becoming infected with malware. (Test #2 does not test for every possible ad blocker system. Some users may have ad blockers that are not detected.)
Insecure browser plugins, like Adobe's Flash, Microsoft's Silverlight, and Java, that are often used by malware to infect systems. These plugins should be disabled or set as click-to-play; they should not autorun. (Test #2 does not check if the plugin is configured for autorun; it only tests if the plugin exists.)
Altered content, such as unexpected links or JavaScript, can indicate hostile software on your computer or network hijacking.

Your web browser sent the following HTTP header properties to this web server:

GET /tutorial-malware.php HTTP/2.0
User-Agent:	Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)
X-Forwarded-Proto:	https
Accept-Encoding:	gzip, br
Accept:	/
Referer:	http://fotoforensics.com/tutorial-malware.php
Host:	fotoforensics.com
Content-Length:
Content-Type:

If the server detected any indicators of infection, then they would be listed here. This server did not detect anything; you do not have any malware that is detectable by this server.
While this FotoForensics server can detect some indicators of infection, it cannot detect all types of malware.

Detecting nothing on this server does not mean that your system is free of malware; it only means that we did not detect anything. You should still use an anti-virus system and good online habits to prevent a malware infection.
The FotoForensics staff cannot provide assistance with mitigating any detected problems. You should contact your system administrator or a company that specializes in malware removal. FotoForensics does not specialize in malware removal.

Understanding Malware

The two main risks to your web browser come from malware and network hijacking. These threats can come from malicious computer programs, network interception, and online ads that infect web browsers.

What is Malware?

Malware is any kind of software that is designed to damage, disable, or interfere with a computer system. Typical malware includes a means for infecting systems (dissemination) and code that performs an action (payload). Common dissemination methods include:

Virus: A computer virus is a piece of code that, when loaded onto your computer, replicates and attaches itself to other files. If an infected file is transferred to another vulnerabile computer, then that computer also becomes infected.
Worm: A worm is similar to a virus, except that it has the ability to spread all by itself. If two computers are connected over a network, then a worm could potentially spread between the computers over the network connection.
Trojan: Like the fabled Trojan Horse, a trojan is a program that appears to do one thing but actually does something else. For example, a trojan malware acting as a computer game would appear as a game but would also infect your computer with non-game software.

These different distribution methods do not need to be independent. A single program may function as a trojan that also infects other files (virus) and spreads over the network (worm).

The payload describes the type of action that the malware performs. For example:

Adware: This type of payload attempts to show advertisements to the user. The person responsible for the malware may gain revenue from sales, or from click-through counters. Clicking on an ad, hovering the mouse over an ad, closing the ad, or displaying the ad to the user could generate money for the ad provider. Some adware floods the user's screen with popups or highlights random words on web pages for the purpose of generating more advertising revenue.

FTC vs Innovative Marketing Inc.

In 2008, the Federal Trade Commission (FTC) accused Kristy Ross and her company, Innovative Marketing, Inc. of deceptive marketing. The FTC found that Ross's internet business used a scareware advertising scheme that claimed to scan the victim's computer and identify risks, such as finding viruses, spyware and "illegal" pornography. They then offered to sell a security solution that they claimed would fix these problems.

During the investigation, the FTC found that the software never performed a scan and never found any actual malware. The FTC took Ross and her company to court and, in 2012, received a $163 million dollar judgement against Ross. In 2014, the Appeals Court upheld the ruling against the scareware company.

Spyware: This type of malware watches what you do and reports it to someone else; it spies on you. Spyware often works with adware, reporting your activities and interests to advertisers so they can better target you with even more advertisements.
Ransomware: Ransomware alters your computer system in order to limit the functionality. For example, it may encrypt your personal files or change your passwords. The criminal typically offers a method for payment; if you pay the ransom then they will remove the limitations. Of course, some criminals just take the payment and leave your computer system in an unusable state...
Scareware: Scareware claims to be legitimate software but really tries to scare the user into performing an action. For example, scareware may pretend to check your computer for problems, but always reports problems -- even if there are actually no problems with your computer. The scareware author hopes that fear will cause you to buy some software to resolve the fictional problem.

What is Network Hijacking?

Beyond computer infections, the network connection between your computer and the web server may be intercepted and altered. Some internet service providers (ISPs) have been known to insert in their own advertisements, replace ads with other ads, or redirect requests to services preferred by the ISP. Some network interceptions may also alter the HTTP headers in ways that could potentially change web page results.

Windstream Hijacking

In 2010, Windstream (an ISP in the United States) hijacked web searches. Users thought that they were searching the web with the Google Toolbar, but were actually being redirected to Windstream's search engine. The company had decided to intercept requests made for the Google Search engine and replaced responses with their own search results.

Following public outcry, a Windstream representative issued the following statement:

5-Apr-2010 11:33 am from Windstream

Change to this service being applied tonight
We will be making a change to this service tonight based on feedback from our customers who wish to continue to use Google for the search box. We apologize for any inconvenience this may have caused.

In 2011, the Electronic Frontier Foundation (EFF) found that several small ISPs were doing similar network hijackings.

By altering web results, redirecting network queries, and changing HTTP headers, these network providers explicitly compromise the integrity of every action that users perform online.

What is Malvertising?

Many web sites include third-party advertisements. These can appear as simple pictures or as active web components. Unfortunately, there is an increasing threat from third-party advertisements that use exploits to install malware. The term malvertising describes this combination of malware and advertising.

An ad blocker is a plugin for your web browsers that stops most ads from being displayed. This technology stops ad-based malware.

Heated Debates

There is an ongoing debate related to online advertisements and the use of ad blockers.

Online Ad Life Cycle

Most online ads follow a common life cycle:

A company creates a product and pays an advertising company to promote the product.
The advertising company contacts web sites who agree to link to the ad from their web pages. The advertising company pays the web site -- usually each time the ad is shown to a user or clicked on by a user.
The web site makes space on their web page for the advertisement and links to the advertiser.
When a user's browser requests the web page, it also receives links from the web page to the advertiser. The advertiser chooses which ad to include on the web page. This is called third-party advertising because the web site does not control the ad's content; the web site only controls the recommended placement.
If the ad is successful, then a user buys the product.

A single sale can fund thousands of advertisements, and a popular web site with lots of ads can generate a large revenue stream from these third-party advertisers.

Many web sites rely on ad revenue. Some sites have agreements with advertisers to include various product ads on web pages. The advertisers pay sites for displaying ads, while the advertisers collect and monetize information about users who visit these web sites. Without revenue from advertisements, some web sites could go out of business.

On the other side of the debate are the users who visit these web sites. Typically, web sites link to third-party advertisers and the advertisers provide their own content that is displayed on the web page. This extra step can add a measurable delay in the time it takes to render the page on the browser. In addition, ads usually have a graphical component, requiring more bandwidth than the basic web page. This can have serious financial implications for users who are charged per megabyte of data.

When ads are included on web pages, third-party ad providers immediately gain access to information about the user. They can identify what web pages you visit, how you came to the site, and information about your web browser and computer. By hosting ads on many popular web sites, advertisement providers can track users across the web sites. Advertising companies can use this information to target ads at specific users. This leads to heated debates related to privacy, including data collection, retention, distribution, and use. (That 'ad' on a web site isn't just an advertisement. It's also tracking you.)

Harmless ads typically show a product and, upon clicking, send users to a product web site. However, malicious ads have many attack options. With the ability to send content directly to a user's browser, some advertisers have used their ads to hijack web pages. Advertisements may overlap some or all of the page -- requiring acknowledgement or activation (such as clicking "OK" or closing the ad) before permitting the user to view the page's content. Some ads redirect users to sites that infect the user with malware. And in other cases, ads directly exploit browser weaknesses. These malvertisements often enable adware or spyware.

Differing Opinions

The three sides of this debate have very strong opinions.

Big Money from Ads

Google receives most of their revenue from ads placed on web pages. In 2011, Google reported over $37.9 billion in revenue (96% of their earnings) from ads.

In order to maintain their revenue stream, Google has taken steps to discourage ad blocker use. For example, Google's YouTube.com may not play videos if an ad blocker is enabled. And some versions of Google's Chrome web browser bypass ad blockers when visiting YouTube.

On the positive side, Google has been aggressively detecting and removing deceptive ads. Disabling an ad blocker for Google's services may not dramatically increase the risk of infection. Unfortunately, few companies have the same technical resources as Google. Links from other ad providers pose more risk.

Consumers: There are many ad blockers available as plugins for web browsers. By blocking and disabling ads, these add-ons speed up web site loading, lower bandwidth requirements, limit personal data collection, and stop malvertisements.
Web sites: Advertisements provide significant revenue, and ad blockers reduce this revenue stream. Some companies that are dependent on ad revenue have taken steps to work around ad blockers, either by restricting content or bypassing blockers.
Advertisers: Ads only generate revenue if they are seen by users. If advertisers cannot raise enough visibility by passively placing ads on web sites, then they will employ more active roles through malvertising and adware. Because consumer profiles have value, some advertisers resort to spyware as an additional means to collect information about users.

Typically, web sites specify where ads are placed on the page. It is up to third-party advertisers to provide the ad content and ensure that it remains in the specified area. Unfortunately, some advertisers either use active content that spreads beyond the specified area, or use the invitation to display on the web page for installing malware. The key things to remember are that (1) the web site does not control the advertisement -- they only identify where it should be displayed, and (2) the third-party advertiser can change the ad content at any time, including switching from harmless product placements to harmful malvertisements.

Home Page For The World's Business Leaders

Forbes is a large, respected news outlet. And like other news organizations, they are continually looking for new revenue sources. The company currently depends on revenue from web page advertisements. Unfortunately, ad blockers dramatically reduce this revenue stream. Screenshot of Forbe's ad blocker warning

Screenshot of Forbe's ad blocker warning

In December 2015, Forbes began forcing users to disable ad blockers. If forbes.com detected an ad blocker, then it would not send content to the browser. Instead, they displayed a message asking users to disable their ad blockers.

Unfortunately, a month later the ad campaign included by Forbes changed. Users who disabled their ad blockers were served malware that infected their computers.

This problem is not unique to Forbes. In 2009, the New York Times included an advertisement that infected computers with botnet software. In 2013, Yahoo.com and the London Stock Exchange linked to malware disguised as advertisements, in 2014 both the Hindustan Times and Times of Israel included malvertisements on their web sites, and in 2015, the UK's Daily Mail linked to ransomware. Each of these companies depend on revenue from online ads, but ended up distributing malware and infecting their users. In each case, site visitors with active ad blockers were unaffected.

Until technology is developed that permits advertisements without infecting users, there will be a constant escalation between warring parties. Advertisers will continue to develop ways to sneak ads in front of users and collect user data, web sites will attempt to bypass ad blockers or discourage their use, and ad blockers will become more draconian with their restrictions.

FotoForensics does not use ads. If you see advertisements in relationship to this site, then it indicates that either (A) your web browser is infected with adware, or (B) some system between your browser and the FotoForensics web site is hijacking your connection and inserting ads.

Altered Content

Malware, adware, and some anti-virus software may alter the web content (HTML) that appears on your browser. This includes adding, altering, or removing visible content and hyperlinks.

This tutorial performs a very simple test for altered content. Specifically, Test #3 retrieves a very simple web page and then checks if the content changed. Usually your web browser will change the HTML formatting, but not the overall content. This includes:

Removing any final newline characters at the end of the HTML.
Inserting a newline characters after the HTML body.
Converting HTML attributes from single quotes (') to double quotes (").

These in-browser alterations do not impact the reported web content. These are harmless and expected changes.

In contrast, some anti-virus software packages will insert HTML into the web page. This includes Kaspersky, Avira, Norton, and Dr.Web antivirus software. While typically harmless, this is an alteration that was not intended by the web page developer. For this test, Avira, Norton and Dr.Web are marked as safe alterations. In contrast, a warning is shown for Kaspersky Antivirus due to security concerns issued from the US and UK governments.

Any other type of alteration detected by the test denotes a significant concern. Either there is some software on your computer that is altering the web page content, or there is something on the network between your browser and the web server that is modifying content. Unexpected alterations have been observed with some free/public proxy networks.

Impact on Forensics

Having malware on your computer is never a good thing. Some malware can hijack your online accounts or steal your identity. Other types of malware permit remotely controlling your computer. Your system may end up sending spam, hosting warez (illegal software), storing pornography, or being used as part of a botnet for remotely attacking other systems on the Internet. (If you are lucky, it will just display tons of advertisements.)

Malware often enables additional malware. If you are infected with one virus, then you might quickly become infected with many different types of viruses.

As bad as it is, finding malware on a system used for forensic work is significantly worse. For example:

Significance	Explanation
Compromised data	If the investigator identifies malware on a suspect's hard drive or data files, then the question becomes: where did the malware come from? Or more specifically: Did the investigator's computer infect the suspect's data, or was the data already infected? Any changes by the investigator's system to the source data prior to analysis is tantamount to evidence tampering and calls into question the data integrity as well as the chain of custody.
Compromised results	Some malware is designed to alter documents. This is usually part of a viral infection, but can also include adware. Having unknown text added to an official report compromises the integrity of the report.
Compromised privacy	Spyware and network interception could result in the unintentional disclosure of sensitive information.
Altered data	Many legal cases rely on snapshots of web sites as evidence. In effect, they show the jury what the web site looked like at a specific time. If malware or an intercepting network provider alters the data, then the evidence does not represent what the web content actually looked like.
Suppressed evidence	Evidence can be used to convict or exhonerate a defendant. If the legal counsel can identify that an investigator used a compromised system, then they could potentially have all evidence and results from the investigator excluded from the court proceedings. Without the proper evidence, a guilty person may walk free, or an innocent person may be found guilty.
Impacted cases	Because viruses, worms, and trojans spread among computers, a single infected system in a forensic department could result in compromises to dozens or hundreds of legal cases.

Police Pay Ransomware

In 2015, the Lincoln County Sheriff's Office in Maine (United States) found that their computers were infected with "megacode". This ransomware encrypted data files and spread across the local network, impacting five different police departments. The malware demanded a ransom in order to unlock the files. If the ransom was not paid, then the files would be lost.

The police department decided to pay the ransom (about US$300). The malware then unlocked the files. However, the Sheriff's office was lucky: sometimes ransomware fails to decrypt files.

None of the statements by the police department mentioned the number of cases impacted by the ransomware, or whether the restored files were forensically sound.

If you work on forensic cases, then you likely already have best practices and documented procedures that include:

Separating sensitive computers from the Internet (an air gap).
Segmenting computer networks, so that a problem on one system does not spread to every system.
Scanning all media and computers with up-to-date anti-virus software.
Using ad blockers and plugins that restrict web site functionality and mitigate the impact from web-based attacks.

While these steps can make browsing the Internet a little more difficult, they dramatically limit the impact from malware.

What does FotoForensics detect?

Some types of malware alter the HTTP information that your browser sends to web servers. This can make infections detectable by the web server. As a forensics service, FotoForensics actively checks for indications of a malware infection. This is a passive check and does not scan your computer.

FotoForensics detects:

Detection	Explanation
Unexpected cookies	With HTTP, the web server can issue a cookie to the web browser, and the browser is expected to return the cookie to the server. Cookies provide a simple solution for session maintenance. According to the protocol, the browser will only return cookies to the site that issued them. On your computer, each cookie is associated with a specific domain. This is how your browser knows which cookies get sent to the which servers. Infected systems and hijacked network connections can result in cookies from one domain being sent to a different domain. This causes the web server to receive an unexpected cookie: a cookie that was never issued by the web server. An unexpected cookie is a clear indicator of something odd: you are either infected with some kind of malware, or your network connection is being hijacked. The public FotoForensics server does not use cookies, so your browser should never provide cookies to this server. For FotoForensics login management, such as at FotoForensics Lab, we use one cookie that manages the login session. Any other cookies received by this server are unexpected and an indicator of infection or hijacking.
Know-bad cookies	Cookies contain "field=value" sets of data. Some unexpected cookies have fields that identify known adware or spyware. This includes malware from Linkbolic, AdvMaker, AddThis, and Clkmon.
User-agent strings	Your web browser transmits a user-agent string that identifies some of the browser's capabilities. Some malware, adware, and spyware adds their capabilities to this string. This include spyware-toolbars (like Alexa, Dealio, and Hotbar), adware (e.g., SIMBAR and Zango), and other forms of known malware (e.g., iBryte and WebMoney Advisor).
Unsafe browsers	Some web browsers act as trojans. While they permit surfing the web, they also insert ads or report online activities to remote companies. As an example from 2014, The Register reported that the Chinese 'Sogou Explorer' browser sends online activity information to third-parties (spyware). At FotoForensics, we found that most Sogou Explorer browsers are also infected with iBryte adware. (And if the browser is this infected, then how compromised is the entire computer?)
Ad blockers	Ad blockers are beneficial and can protect your system from malvertisements -- hostile advertisements that use malware. This tutorial tests for the presence of common web browser ad blockers. The test uses a pseudo-ad that is detected and blocked by general-purpose ad blockers, such as AdBlock Plus, uBlock Origin, and Adguard AdBlocker. Other ad blockers, such as Privacy Badger, are not detected by this test.
Risky plugins	Plug-ins, Add-ons, and Extensions provide additional functionality to your web browser. However, these modules may also expose your browser to exploitable vulnerabilities. This includes Oracle's Java, Adobe's Flash, Microsoft's Silverlight, and Cisco's WebEx. Malware and malvertisements often exploit these vulnerabilities, infecting browsers and computers. This tutorial tests for the presence of common plugins that pose a high risk, such as having a large number of known exploits. For example, Java, Flash, and Silverlight each have new vulnerabilities disclosed and new critical patches released almost every month; and this has been going on for years. To put it bluntly: If every month of every year yields a new set of patches that address new high risks, then these plugins are not safe for everyday use.

Most users who visit FotoForensics do not have detectable malware on their systems. However, about 1% of users that visit this site do have some kind of detectable malware. A majority of the infected browsers have some kind of adware and no ad blocker. Often, users have multiple infections (e.g., spyware and adware and a virus).

Staying Safe Online

There are a steps that users can take to reduce their likelihood of getting a computer infection:

Mitigation	Rational
Patch	Many types of malware exploit vulnerabilities in your computer software. Having up-to-date software prevents the spread of viruses and worms. Web browsers and email systems are particularly vulnerable to malware attacks. These applications receive data from the Internet and automatically run commands. Be sure that your browser and email programs are up-to-date.
Disable	Browser plugins provide additional functionality, but also provide footholds for malware. If you do not need the additional functionality, then turn it off. For example, most web sites require JavaScript, so you should probably leave JavaScript turned on. However, very few web sites require Java (Java is not the same as JavaScript). Java has a large number of known vulnerabilities that put your system at risk. Unless you have a specific need to have Java enabled, you should keep it turned off. The same goes for Adobe's Flash, Microsoft's Silverlight, and most other plugins. If you need the functionality, then be sure to patch often. If you do not need the functionality, then disable or remove it. If you only need the functionality for a specific use, then enable click-to-use; do not allow it to autorun. Most web browsers have a configuration menu for managing Java support, Add-ons, Plug-ins, Applications, and Extensions. This includes specifying the default action. You can choose to disable the additional functionality or prompt the user before activating it (e.g., set the action to "Always ask").
Anti-virus	Anti-virus software looks for malware signatures and takes steps to mitigate infection. Some anti-virus systems perform real-time scans in order to immediately detect and prevent infections. However, new malware comes out daily. Make sure your anti-virus signatures are updated often. Most anti-virus tools are reactive and not proactive. They only detect malware that they know about. Surveys have repeatedly shown that most anti-virus systems only detect about 70% of the computer viruses out there, and most anti-virus software detect less than 60% of new malware. In 2008, the CEO of anti-virus vendor Trend Micro, Eva Chen, declared: "I've been feeling that the anti-virus industry sucks. If you have 5.5 million new viruses out there how can you claim this industry is doing the right job?" Simply having an anti-virus system is not enough. You need to regularly update the anti-virus database and practice good online habits.
Stranger danger	Do not open emails from unknown people. Do not open unexpected attachments. Trojans often appear as unexpected attachments or as emails from strangers. The simple act of opening the email or viewing the attachment could be enough to trigger an infection. When in doubt, just delete.
Beware of ads	Online ads may appear temping, but be careful: some online offers are designed to infect your system. Ads that can be mistaken for content are likely trying to deceive you into activating some code. Watch out for ads that appear to have "buttons" to click or are positioned next to places where you might activate them by accident. Ads that are positioned to be accidentally clicked on are often hostile. Many "free" cellphone apps position ads in places where they can be easily clicked on by accident. Some online ads include malware. Called malvertisements, these ads can infect your computer just by being displayed in the web browser. Be sure to use an ad-blocker with your web browser.
Public problems	Public computers and free wireless networks are more likely to be infected or hostile. Do not use public systems for private communications. Just as a cold or flu can hang around on public surfaces, like doorknobs and faucets, a computer virus can be easily spread among public computer systems. One user may infect the public computer, and the next user will pick up the infection. Public wireless networks are equally risky. If your computer has an unpatched vulnerability, then another computer on the public network may transmit a worm to your system. In addition, hostile systems on the public network may attempt to intercept your network connections. Relying on "HTTPS" to protect your network connection is not enough. Never access anything that requires a login (such as your bank account, Facebook, or Twitter) from a public wireless network.
Share safely	Beware of sharing USB thumbdrives. Never use a CD-ROM or DVD that comes from an unknown source. If you put a clean USB drive into an infected computer, then the USB drive may become infected immediately. (That's what viruses do!) If you then put the infected drive in your computer, then your computer will become infected. Always check media, such as thumbdrives, CD-ROMs, and DVDs, with an anti-virus scanner before you use them.
Browse safely	Watch out for sites that require you to install software, enable Java, or disable your anti-virus or ad-blocker. Some web sites require you to install unknown software, or to weaken your defenses by turning off your anti-virus or disabling ad-blockers. If you see this, then get away from that site as fast as possible. A safe web site should never tell you to do something unsafe.
Avoid bad habits	If you find yourself clicking a series of popup confirmation windows ("Yes", "Yes", "Yes"...) then you are probably infected. Regular software rarely requires multiple confirmations. In constrast, malware usually triggers alerts, causing a series of "Are you sure?" prompts and popup confirmations.
Watch out	Keep an eye out for unexpected behavior. If your computer suddenly starts doing something new (and annoying), then it could be an indication of a malware infection. If your computer is suddenly running very slow, windows keep popping up, applications randomly open and close rapidly in the background, or new programs (that you don't recognize) start appearing on your taskbar, then your computer is probably infected with something. Don't ignore a computer infection. It won't go away and it won't get better over time.

Most consumers detect malware after the fact. First the computer is infected and then the user notices odd behavior. After raising suspicion, users resort to tools that detect infected systems and usually confirm the bad news.

Detecting malware is relatively easy. Removing malware is usually difficult. Most malware do not include "uninstall" programs. And adware, spyware, and trojans that do have an uninstaller are either unlikely to remove the software or may leave the computer in an unstable state.

If you find malware on your system, then you should contact your system administrator or a company that specializes in malware removal. For some of the simpler malware, you might get lucky and find step-by-step removal instructions online. (We do not recommend buying software online from some unknown vendor that claims to be able to fix your specific problem. Some of those paid removal systems are actually more malware. You are better off paying a professional the same money to get the removal done correctly.)

FotoForensics does not specialize in malware removal and cannot provide assistance with mitigating any problems. (Please don't ask us for assistance. We cannot help you.)